NetworkMiner 1.1 - Network Forensic Analysis Tool (NFAT) Released
The Hacker News
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main user interface view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).

Consider a scenario where you're analyzing a suspicious website, wishing to understand the way that it might try attacking its visitors. One way to approach this challenge is to browse the website using a Windows laboratory system designated for this type of work. In this case, your hope might be to have the system attacked and infected, so you can understand the nature of the threat.There are several tools that could capture relevant details about the attack, so you can analyze them to understand what transpired. For instance, CaptureBAT can capture not only process-level activity on the laboratory system, but also create a pcap file of the observed network traffic. You can also run a dedicated network sniffer, such as tcpdump or Wireshark's dumpcap, or use the sniffer built into NetworkMiner.

Changes for NetworkMiner 1.1:

  • Extraction of parameters sent to Google Analytics into NetworkMiner's "Host Details". These parameters include: screen resolution, color depth, browser language and flash version.
  • You can drag-and-drop one or multiple pcap files onto NetworkMiner.exe to have it start up and begin loading the dropped pcap files. You can also submit your pcap files as arguments from the command line.
  • Multiple SMB/CIFS and NetBIOS improvements, such as support for multiple simultaneous SMB file transfers over the same TCP session as well as support for NetBIOS Session Service keep-alive messages.
  • Added support for Point-to-Point Protocol (PPP) frames in pcap files.
  • Improved stability when loading pcap files. Thanks to psteier for identifying this bug.

This is change log in detail:

  • NetworkMinerForm.cs: Fixed so that one or multiple pcap files can be loaded on startup by drag-n-droping them onto NetworkMiner.exe. Same thing goes for when providing pcap files as command line arguments.
  • PacketHandler.cs: Fixed concurrency issues by locking the correct queue object. Thanks to psteier for being first to find and solve this bug!
  • Added new PacketHandler for NetBiosSessionService
  • PointToPointPacket.cs: Added support for PPP frames in pcap files, such as this one: https://www.pcapr.net/view/tyson.key/2009/8/2/13/Social_Networks_and_RSS_00005_20090929212859.html
  • SmbCommandPacketHander.cs: Added FileID to assembler's ExtendedFileId in order to support multiple simultaneous SMB file transfers over the same TCP session. Thanks to I S for reporting this bug!
  • NetBiosSessionService.cs: Implemented interface ISessionPacket and added support for the NetBios Session Service session keep-alive message
  • WinPCapNative.cs: Changed CallingConvention to Cdecl
  • PcapFileReader.cs: Added a more generic base class "PcapStreamReader" that PcapFileReader extends to parse a FileStream rather than an IO-stream.
  • HttpPacketHandler.cs: Added support to extract data submitted to Google Analytics into "Host Details". This includes attributes like:
    • Screen resolution
    • Color depth
    • Browser language
    • Flash version

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.